PatchSiren cyber security CVE debrief

CVE-2025-15345 Plugins CVE debrief

CVE-2025-15345 is a reflected cross-site scripting issue in the MapGeo – Interactive Geo Maps WordPress plugin. According to the supplied advisory, the flaw affects all versions up to and including 1.6.27 and stems from insufficient input sanitization and output escaping in the display-map shortcode’s map parameter. The issue can let an unauthenticated attacker inject script that executes if a user is induced to interact with a crafted link or page.

Vendor: Plugins
Product: Unknown
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

Administrators and security teams responsible for WordPress sites running the MapGeo – Interactive Geo Maps plugin, especially installations that expose the display-map shortcode to public-facing pages.

Technical summary

The advisory maps this issue to CWE-80 and gives a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1, Medium). The vulnerable code path is the display-map shortcode, where the map parameter was not sufficiently sanitized or escaped before being reflected into the page. The referenced WordPress changeset indicates the fix is present in version 1.6.28.
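To make the two missing controls concrete, here is an added, hypothetical shortcode handler (not the MapGeo plugin's code) showing the weak pattern the advisory describes next to a hardened one; only the shortcode tag `display-map` and its `map` attribute come from the advisory, and the slug format for map identifiers is an assumption for the example.

```php
<?php
// Hypothetical shortcode handler illustrating the bug class described above.
// This is NOT the MapGeo plugin's code; everything except the shortcode tag
// "display-map" and its "map" attribute is an assumption made for this example.

// --- Weak pattern: attribute value reflected into markup without escaping ---
function example_display_map_weak( $atts ) {
    $atts = shortcode_atts( array( 'map' => '' ), $atts, 'display-map' );
    // Whatever arrives in "map" lands in the HTML unchanged: with neither input
    // sanitization nor output escaping, this concatenation is the reflected-XSS sink.
    return '<div class="geo-map" data-map="' . $atts['map'] . '"></div>';
}

// --- Hardened pattern: sanitize on input, validate, escape for the output context ---
function example_display_map_hardened( $atts ) {
    $atts = shortcode_atts( array( 'map' => '' ), $atts, 'display-map' );

    // 1. Input sanitization: strip tags, control characters and stray whitespace.
    $map = sanitize_text_field( (string) $atts['map'] );

    // 2. Validation: a map identifier should match a known shape. The example
    //    assumes slugs (lowercase letters, digits, dashes, underscores).
    if ( ! preg_match( '/^[a-z0-9_-]{1,64}$/', $map ) ) {
        return ''; // malformed identifier: render nothing rather than echo it back
    }

    // 3. Output escaping for the exact context the value is written into:
    //    esc_attr() for an HTML attribute. A value placed in inline JSON would
    //    need wp_json_encode(), a URL esc_url(); one escaper does not fit all.
    return '<div class="geo-map" data-map="' . esc_attr( $map ) . '"></div>';
}

add_shortcode( 'display-map', 'example_display_map_hardened' );
```

The allow-list in step 2 is the part that does most of the work: once the value can only be a slug, the escaping in step 3 is defence in depth rather than the sole barrier.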

Defensive priority

Medium. This is not marked as KEV in the supplied data and no active exploitation or ransomware linkage is provided in the corpus, but it is unauthenticated, network-reachable in typical web deployments, and can lead to script execution in users’ browsers.

Recommended defensive actions

  • Upgrade MapGeo – Interactive Geo Maps to version 1.6.28 or later.
  • Review any public pages or posts using the display-map shortcode and verify they are rendering safely after the update.
  • If immediate upgrading is not possible, limit exposure of affected pages and reduce access to trusted users until patched.
  • Inspect browser-side logs and site content for unexpected script injection in pages that use the plugin.
  • Track the official advisory and WordPress plugin changeset for any follow-on fixes or clarifications.

Evidence notes

The supplied GitHub advisory states the vulnerability affects all versions up to and including 1.6.27 and that the issue is due to insufficient input sanitization and output escaping in the display-map shortcode’s map parameter. The WordPress Trac changeset reference indicates the fix path from 1.6.27 to 1.6.28. The NVD and CVE.org links identify the record for CVE-2025-15345. No KEV listing is present in the supplied timeline/enrichment, and no exploitation evidence is included in the corpus.

Official resources

The supplied source timeline shows CVE-2025-15345 published on 2026-05-14T06:31:33Z and modified on 2026-05-14T06:31:40Z. The advisory identifies a reflected XSS issue in the MapGeo – Interactive Geo Maps WordPress plugin affecting versions